It’s No Coincidence That Halloween Falls in National Cyber Security Awareness Month (NCSAM)

I don’t imagine I’m the first to figure that out, but I think it’s a mistake. It’s easy to jump to scary stuff and tricks or treats and draw clever or cute analogies to cybersecurity and Halloween. First though, ever wonder why Halloween doesn’t need a technical sounding acronym…really? NCSAM? But no one ever forgets Halloween or can’t remember what it means exactly. However, ask anyone in November what NCSAM means. You’ll be restarting your NCSAM events to remind everyone.

This year’s theme, “Own IT. Secure IT. Protect IT.’” focuses on the important role every connected citizen plays in cybersecurity. And that’s my concern, NCSAM only promotes cybersecurity awareness for one month. Individuals and organizations must consider matters of security with the utmost importance every day, not just in October. Somehow that makes it less important. Or it makes it important but for a shorter period of time. And let’s not forget the “bad guys” only need to be right once on one day.

We – every connected citizen – must be right every moment, every day in order to stay safe and protect our privacy and security. So, a month of focus just isn’t enough, but rather it is a start. The focus really needs to be on raising the overall awareness around security to make the “bad guys” work harder. Focusing on stopping every single “incident” will prove an exercise in futility. By working to raise awareness and focusing on some simple things that we all can do in our daily lives at home, work, and while on the go, we can make it safer for all of us.

The real lesson for every connected individual and every connected company should be that cybersecurity is not a security issue, it is not an IT issue. It is your issue. For business it is an existential issue. Before you accuse me of hyperbole, let me just point out that ransomware has caused several providers to turn patients away this year and some have permanently closed. And they are not the first. That certainly implies existence for a healthcare organization. Identity theft has not abated, although that might be more of a multi-existential issue – – someone else using your identity to obtain care, drugs, and your money. 

Security is a big issue and can be very complex, certainly in healthcare. But sometimes I wonder if we don’t over complicate it – – even the explanations of why we need to do it and how to do it. We all remember Halloween costumes, candy, trick-or-treating, scary movies, Halloween parties, etc. The things that wrap around NCSAM (say the full explication of NCSAM three times, fast) are multitudinous: Network, application, endpoint devices, incident response, cloud, mobile, physical, identity, access management, wireless, data loss, breach; for Pete’s sake we even have to talk about security awareness as part of security awareness. And that’s just the beginning…having security awareness for one month is not long enough.

 The most difficult challenge in cybersecurity is the ever-evolving nature of security risks themselves. As if that wasn’t enough, we change technology with some frequency, too, which introduces new risks that then “ever-evolve.” Trying to raise awareness in this environment is scarier than most Halloween pranks!

The best approach is not scary at all:

• Keep the awareness messages simple, focus on the top few points you want to make, what people should be focusing on. And be repetitive with them – – but creative.
• Make it personal. If it is only about their work, they get a lot of training related to work, make it about them. Everything you learn in terms of security awareness applies not only to your job but to your data, personally. Let them know this is about them, their kids, their families. This isn’t just for IT and Security teams or even the organization and your patients. It’s also for you.
• Simple, repetitive messages, that apply to my life are the ones I remember. I buckle my seat belt even in the back seat of an Uber. That buckle up for safety campaign still resonates and it stuck because I heard it so many times and it is my safety.
• October will end but that doesn’t mean that your security awareness program needs to stop. Keep it going until September 30^th of 2020 and then you can start National Cybersecurity Awareness Month all over again in October of 2020!

The real trick (and the best treat) is to keep security awareness month a daily event.